Samsung Vision AI Promotion Rules

NOTICE ON COLLECTION AND USE OF PERSONAL DATA

Samsung Electronics Austria GmbH, with its registered office at Praterstrasse 31/14 Obergeschoss, Vienna, Austria (hereinafter referred to as the "Controller"), hereby informs you about the processing of personal data:

1. Data Controller

The Data Controller is Samsung Electronics Austria GmbH, with its registered office at Praterstrasse 31/14 Obergeschoss, Vienna, Austria, via Samsung Electronics Austria GmbH, Zagreb Branch (hereinafter referred to as the "Controller").

2. Data Collected

The Controller will collect and process the following personal data:

• Full name
• Customer's address for Device delivery
• Customer's contact phone number
• IMEI number and serial number of the purchased Device
• Copy/scan of the fiscal receipt or delivery note for the purchased Device

(hereinafter collectively referred to as "Personal Data").

3. Purpose of Personal Data Collection

The Controller will collect and process the aforementioned Personal Data exclusively for the purpose of verifying eligibility for the "Samsung Vision AI is here" promotion and for delivering the Gift if the user/customer is entitled to it.

4. Use of Personal Data

Personal Data collected based on consent will be used exclusively for the aforementioned purposes by the Controller, in accordance with the Personal Data Protection Act (the "Act") and the Controller's Privacy Policy attached hereto.

5. Legal Basis for Data Processing

The Controller collects and processes Personal Data based on the voluntary consent of the data subject.

6. Personal Data Retention Period

Personal Data will be stored only for as long as necessary for the fulfillment of the stated purpose, and in any case, no longer than 6 months from the date of purchase.

7. Your Rights

The personal data collection Controller will, upon the participant's request, supplement, modify, update, and delete Personal Data if the data is incomplete, inaccurate, or outdated, or if its processing is not in compliance with the law, or if the purpose of data collection has been fulfilled. For more information, please consult our Privacy Policy or contact us by email at dataprotection.sead@samsung.com.

If participants believe that the processing of their personal data violates their privacy, they may contact the personal data processing Controller or the Personal Data Protection Agency and request an explanation.

8. Other Information

For detailed information on the measures taken for the storage of Personal Data and any potential disclosure of Personal Data, please read our Privacy Policy.

DATA PROTECTION POLICY

Effective Date: May 2018.

Samsung Electronics Austria GmbH and its affiliated entities (hereinafter referred to as "Samsung", "we", "us", "our") understand the importance of privacy for our staff, suppliers, customers, and others with whom we collaborate, and strive for clarity regarding how we collect, use, disclose, transfer, and store personal data. Below are the main questions covered by our Data Protection Policy.

Table of Contents:

1. Scope and Purpose
2. Responsibility for Compliance
3. Our Obligations
4. Definitions
5. GDPR Principles
6. Special Categories of Personal Data
7. Sharing of Personal Data (including transfers outside the EEA)
8. Profiling and Automated Decision-Making
9. Direct Marketing
10. Record Keeping
11. Individual Rights of Data Subjects
12. Procedure in Case of Data Security Breach
13. Policy Updates
14. Useful Contact Information
15. Annex 1: Privacy Notice

1. Scope and Purpose

This policy defines the rules for data protection and the legal conditions that must be met when acquiring, handling, processing, storing, transferring, and destroying personal data.

The types of information we will handle include details about current, past, and potential staff members, suppliers, customers, and other individuals with whom we communicate. Data held on paper or computer is subject to specific legal protection measures outlined in the General Data Protection Regulation ("GDPR") and applicable law(s), which provide restrictions on how we may use this information.

Maintaining the highest standards in our handling of personal data is both a collective and individual responsibility, and this policy applies to how we acquire, use, store, and otherwise process the personal data we use in our business operations. It outlines key data obligations applicable to us as an organization, and includes the expectation that you will play your part in compliance.

This data protection policy applies to every Samsung employee and other personnel providing services to Samsung (including, but not limited to, contractors and agency staff) (collectively referred to as "personnel"). All personnel are required to ensure they understand this policy and adhere to it concerning any personal data they access in the course of their work.

2. Responsibility for Compliance

Responsibility for overseeing data protection compliance, including adherence to this policy, lies with our Data Protection Officer, whose contact details can be found at the end of this policy.

Individuals in management positions are responsible for data protection compliance within their teams.

If you believe this policy has not been followed regarding your personal data or that of others, you should raise the issue with your immediate manager or the human resources or legal departments.

3. Our Obligations

The GDPR stipulates significant fines against organizations that violate its provisions. Depending on the type of violation, organizations may face fines exceeding 20 million Euros or 4% of their total global annual turnover in the preceding financial year. These substantial fines increase the risk exposure concerning data protection compliance.

4. Definitions

The following definitions may be useful when reading this policy:

Criminal record data refers to information related to criminal offenses and convictions against a specific person.

Data Controllers are individuals or organizations that determine the purpose and method of processing personal data. They are responsible for establishing practices and policies in accordance with GDPR. We are the controllers of all personal data used in our business. Our suppliers, consultants, and contractors may also be data controllers.

Data Subjects for the purpose of this policy includes all living individuals whose personal data we hold, including current, past, and prospective customers, suppliers, agents, investors, and our staff members. A data subject does not have to be a citizen or resident of Bosnia and Herzegovina. All data subjects have specific legal rights concerning their personal data.

Personal data refers to data relating to a living person who can be identified from that data (or from that data or other information we hold). Personal data can be factual (such as name, address, or date of birth) or an opinion (such as performance appraisal). The definition of "personal data" used in GDPR and applicable data protection law is very broad and allows a wide range of personal identifiers to be classified as personal data. This includes name, identification number, and location data.

Processing is any activity involving the use of personal data. It includes obtaining, using, viewing, recording, or holding data, or carrying out any action or set of actions including organizing, altering, retrieving, using, disclosing, deleting, or destroying data. Processing also includes transferring personal data to third parties.

Special categories of personal data (formerly known as sensitive personal data) include information about a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition, or sexual life, as well as genetic and biometric data, when used to identify an individual.

5. GDPR Principles

Any person processing personal data must act in accordance with the applicable good practice principles defined in GDPR, which Samsung is obliged to adhere to.

• We will process personal data lawfully, fairly, and transparently (see section "Lawfulness, Fairness, and Transparency").
• We will collect personal data for specified, explicit, and legitimate purposes; we will not process it in a manner incompatible with those purposes (see section "Purpose Limitation and Data Minimisation").
• We will process personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed (see section "Purpose Limitation and Data Minimisation").
• We will ensure that personal data is accurate and, where necessary, kept up to date; where data is inaccurate, we will take every step to erase or rectify it without delay, considering the purposes for which the data is processed (see section "Accuracy").
• We will refrain from storing personal data in a form that permits identification of the data subject for longer than is necessary for the purposes for which the data is processed (see section "Storage Limitation").
• We will implement appropriate technical or organizational measures to ensure the security of personal data, which will include protecting it from unauthorized or unlawful processing or accidental loss, destruction, or damage (see chapter "Integrity and Confidentiality").

Further details on each of these principles follow.

5.1. Lawfulness, Fairness, and Transparency

The applicable data protection law(s) aim not to prevent the processing of personal data, but to ensure it is done fairly and without detriment to the data subject's rights.

For personal data to be processed lawfully, one of the legal bases for processing must be met. These bases include: the data subject must give explicit and voluntary consent to the processing; processing is required by law; processing is necessary for the performance of a contract with the data subject; or processing is necessary for the legitimate interests of Samsung or the recipient of the data (unless these interests are overridden by the individual's interests, fundamental rights, or freedoms). Before we begin processing personal data (e.g., before collecting personal data from someone), we consider our data collection purposes and why we need that data. We also identify the legal basis that allows us to obtain and process this information lawfully.

The data subject must be provided with certain information, including (but not limited to) who the Data Controller is, the purpose(s) for which the data is processed, the legal basis for data processing, the identities of any persons to whom the data may be disclosed or transferred, and the data subject's rights concerning their personal data. This information must be provided through appropriate privacy notices or fair processing notices.

5.2. Purpose Limitation and Data Minimisation

Personal data may only be processed for the specific purposes for which the data subject was informed at the time of first obtaining the data, or for any other purposes explicitly permitted by applicable law(s). This means personal data cannot be collected for one purpose and then used for another. If it becomes necessary to change the purpose for which data is processed, the data subject will be informed of the new purpose before any processing occurs.

5.3. Accuracy

Personal data must be accurate and up-to-date. Information that is incorrect is inaccurate, and therefore steps must be taken to verify the accuracy of any personal data at the point of collection, and then periodically thereafter. Inaccurate or outdated data should be destroyed. When you become aware that personal data we process is inaccurate, you must inform your manager/data processing contact person and take the necessary steps to destroy or amend it, taking into account our data retention policy requirements where applicable.

5.4. Storage Limitation

Personal data should be kept in a form that does not permit identification of the data subject for longer than is necessary for the purposes for which the data is collected. This means data must be destroyed or deleted from our systems when it is no longer needed, or personal data should be anonymized.

After the retention period expires, unless there is a valid business reason for retention beyond that period (e.g., if the data subject has initiated legal proceedings against us and the retained personal data is relevant to such proceedings), records containing personal data will be securely and effectively destroyed.

5.5. Integrity and Confidentiality

Maintaining data security means guaranteeing the confidentiality, integrity, and availability of personal data, according to the following definitions:

• Confidentiality means that data can only be accessed by individuals authorized to use the data.
• Integrity means that personal data must be accurate and appropriate for the purpose for which it is processed, and reliable throughout its lifecycle (i.e., it cannot be altered by unauthorized persons).
• Availability means that authorized users must be able to access data when they need it for permitted purposes. Personal data should therefore be stored on our central computer system rather than on individual personal computers.

Security procedures include:

• Access Controls: Report any unauthorized person observed in areas with access control.
• Securing Lockable Desks and Cabinets: Keep desks and cabinets locked if they contain confidential data of any kind. (Personal information is always considered confidential.)
• Destruction Methods: Paper documents should be shredded. Floppy disks and CD-ROMs should be physically destroyed when no longer needed.
• Equipment: Samsung personnel must ensure that confidential data is not displayed on individual monitors to passers-by, and must log out of their personal computers when unattended.

6. Special Categories of Personal Data

From time to time, it may be necessary for us to process special categories of personal data. We will only process special categories of personal data when we have a legal basis for processing personal data (see section 5 of this policy) and when one of the special conditions for processing special category data applies. These special conditions include, but are not limited to, the following cases:

• The data subject has given explicit consent.
• Processing is necessary for the purposes of exercising rights or obligations of Samsung or the data subject under employment law.
• Processing is necessary to protect the vital interests of the data subject, and the data subject is physically unable to give consent.
• Processing relates to personal data that the data subject has made public.
• Processing is necessary for the establishment, exercise, or defense of legal claims.
• Processing is necessary for reasons of substantial public interest.
• Processing is necessary for assessing an employee's work capacity.

Special categories of personal data will not be processed until:

• The aforementioned assessment has been carried out; and
• The person to whom the personal data relates has been duly informed (through a privacy notice or otherwise) of the nature of the processing, the purposes for which it is carried out, and the legal basis.

7. Sharing of Personal Data (including transfers outside the EEA)

Personal data may only be transferred to third-party service providers who agree to comply with the required policies and procedures, as well as any relevant contractual terms, and who agree to implement adequate measures, in accordance with the requirements.

Personal data may be shared with another member of our group (which includes our affiliated entities, as well as our ultimate holding company, along with its subsidiaries) if the recipient needs the information for business-related reasons, and if the transfer complies with applicable cross-border data transfer restrictions (see below).

Data protection laws restrict the transfer of data to countries outside the European Economic Area (hereinafter referred to as the "EEA") to ensure that the necessary level of data protection is not compromised. You transfer personal data originating in one country across borders when you transmit, send, view, or access that data in another country or to another country. Special permission must be sought from the local legal department/data protection office before transferring personal data across borders to verify that the necessary conditions are met.

8. Profiling and Automated Decision-Making

There are significant limitations on the circumstances under which automated decisions can be made about individuals (where a decision is made solely automatically without any human involvement). This is also the case when it comes to profiling (which is the automated processing of personal data to evaluate certain things about individuals, for example, whether they might like a particular product).

This type of decision-making may only be applied where it is necessary for the performance of a contract, where it is permitted by law, or in cases where the individual gives their explicit consent. Furthermore, individuals have the right to receive information about decision-making and have certain rights that must be communicated to them, including the right to request human intervention or to contest a decision, and there are strict limitations on the use of special category data for this type of decision-making.

In any case, all profiling activities will be processed in full compliance with all applicable laws.

9. Direct Marketing

We respect the strict data protection requirements concerning direct marketing.

10. Record Keeping

It is important that we can demonstrate our compliance with data processing principles. Where required, we maintain appropriate records concerning our handling of personal data. This may specifically include records of our legal basis for processing personal data, records of data sent to data subjects, and records of our personal data processing.

11. Individual Rights of Data Subjects

Data must be processed in accordance with the rights of data subjects. Data subjects have the right to:

• If they have consented to data processing, withdraw their consent for processing at any time (and this must be as easy as giving consent).
• Be provided with clear, transparent, and easily understandable information about how their personal data is used (which is why we provide the privacy notice).
• Request access to any data that the Data Controller holds about them.
• Request the amendment and rectification of inaccurate data.
• Request that data held about them by the Data Controller be erased when certain conditions stipulated by applicable law(s) are met.
• Request restriction of processing when certain conditions stipulated by applicable law(s) are met.
• Request the portability of personal data to another Controller when certain conditions stipulated by applicable law(s) are met.
• Object to the processing of personal data when certain conditions stipulated by applicable law(s) are met.
• Not be subject to a decision based solely on automated processing, including profiling, where it has legal or other significant effects on them, unless they have explicitly consented to it, or where it is necessary for the conclusion or performance of a contract with them.
• Lodge a complaint with the Information Commissioner or Personal Data Protection Authority regarding our data processing, providing the following details, although we encourage the data subject to inform us of any concerns they have so that we can try to resolve them.

When you know that a data subject wishes to exercise any of their rights, you should contact the Legal Affairs / Data Protection Office. It may be necessary to take appropriate steps to identify the person making the request.

A formal request for access to information held by Samsung Electronics Austria GmbH, Zagreb Branch about a data subject (the requester) can be submitted in writing, using Annex 2 (Data Subject Access Request Form). However, data subject requests for access to data do not have to be formal or in writing (they can be submitted, for example, via social media or by phone). Any staff member who receives a request (whether submitted using the prescribed form or not) should immediately forward it to the Data Protection Officer and/or the Legal and Compliance team. If you are unsure whether a request has been made, you should discuss the circumstances with them.

The Data Protection Officer will respond to every request within 30 days of receipt, with certain exceptions (unless applicable law provides for a shorter period, in which case that shorter period will apply). If Samsung is unable to provide the requested personal data, the reasons for this will be fully documented, and the data subject will be informed in writing. The data subject will also be provided with details of the relevant supervisory authority to whom a complaint may be made, as required by applicable law(s).

12. Procedure in Case of Data Security Breach

A data security breach is defined as "a breach of security that leads to accidental or intentional destruction, loss, alteration, unauthorized disclosure, or other processing." A breach does not necessarily mean that personal data has been externally disclosed without relevant authorization, but it can mean that someone has accessed it internally without proper permission.

We are obliged to notify the relevant regulatory authority of certain data security breaches, and, in more limited cases, the data subject themselves.

13. Data Access Authorizations

Authorization to access personal data collected and/or used by Samsung Electronics Austria GmbH, Zagreb Branch is granted only to the following individuals:

• For customer personal data collected via websites established for specific marketing purposes:
  • Authorized legal representatives of Samsung Electronics Austria GmbH, Zagreb Branch
  • Marketing managers whose job responsibilities include handling personal data collected for specific marketing purposes

14. Useful Contact Information

You can contact the Data Protection Service at:

Samsung Electronics Austria GmbH, Zagreb Branch, Radnička cesta 37b, Zagreb, Republic of Croatia

Email: Please contact us by sending an email to dataprotection.sead@samsung.com.